A Cautionary Tale About The Internet Of Things And The CRFA
Thursday, April 06, 2017
The internet-of-things devices consumers installed in their homes aren't really theirs. Oh, consumers paid good money for these smart devices, but the devices aren't really theirs. How so you ask? The cautionary tale below explains.
Unhappy with Garadget, an internet-connected garage-door opener he bought, Robert Martin posted negative reviews on both Garadget's official discussion board (username: rdmart7) and on Garadget's Amazon page. Unhappy with those negative reviews, Denis Grisak, the device's creator, responded initially by disabling internet access to the mobile app Martin used to operate his device. Grisak angrily said Martin could return his device for a refund.
You might call that a digital mugging.
The disagreement escalated and Grisak also disabled Martin's access to the Garadget discussion board and to Martin's online profile. You can read the entire story by The Atlantic. There are several items to learn from this incident. First, as The Atlantic concluded:
"Even just an angry moment can turn a smart device into a dead one."
Clearly, the device creator overreacted by disabling internet access. Grisak later softened his position and restored Martin's online connections. However, the incident highlights the fact that in the heat of the moment, angry (or ethically-challenged) and revengeful device makers can easily and quickly disable smart devices. It doesn't matter that consumers legally paid for those devices.
Second, end-user license agreements (EULA) matter. Terms of service policies matter. Most consumers never read these documents, and they matter greatly. The incident is a reminder of the "gag clauses" some companies insert into policies to silence negative reviews. This incident highlights a technical tactic ethically-challenged device makers can use to enforce gag clauses.
And it's not only device makers. In 2009, some physicians tried to force patients to sign, “Consent And Mutual Agreement to Maintain Privacy” (MAMP) policy documents. Don’t be fooled by the policy name, which is a fancy label for a gag clause. The policy document usually requires the patient to give up their rights to mention that physician on any social networking sites.
Third, legislation and consumer protections matter. The Atlantic reported:
"Some commenters on Amazon and Hacker News wondered whether Grisak’s public online revenge was legal. One person encouraged Martin to reach out to his state attorney general’s office. That’s a complicated question... A bill signed into law signed in December prohibits companies from including “gag clauses” in the contracts they enter into with customers, meaning they can’t bring legal action against someone just for a negative review."
That new law is the "Consumer Review Fairness Act" (CRFA - H.R. 5111) which protects consumers' rights to share their honest opinions online about any product or service.The U.S. Federal Trade Commission (FTC) explains the CRFA and provides guidance:
"The law protects a broad variety of honest consumer assessments, including online reviews, social media posts, uploaded photos, videos, etc. And it doesn’t just cover product reviews. It also applies to consumer evaluations of a company’s customer service... the Act makes it illegal for a company to use a contract provision that: a) bars or restricts the ability of a person who is a party to that contract to review a company’s products, services, or conduct; b) imposes a penalty or fee against someone who gives a review; or c) requires people to give up their intellectual property rights in the content of their reviews.
The [CRFA] makes it illegal for companies to include standardized provisions that threaten or penalize people for posting honest reviews. For example, in an online transaction, it would be illegal for a company to include a provision in its terms and conditions that prohibits or punishes negative reviews by customers. (The law doesn’t apply to employment contracts or agreements with independent contractors, however.) The law says it’s OK to prohibit or remove a review that: 1) contains confidential or private information – for example, a person’s financial, medical, or personnel file information or a company’s trade secrets; 2) is libelous, harassing, abusive, obscene, vulgar, sexually explicit, or is inappropriate with respect to race, gender, sexuality, ethnicity, or other intrinsic characteristic; 3) is unrelated to the company’s products or services; or 4) is clearly false or misleading."
However, the CRFA won't stop device makers from disabling the mobile apps and/or smart devices of consumers who have posted negative reviews. And, an online search easily retrieves physicians' sites still displaying MAMP policy documents. I guess that not everyone is aware of the CRFA.
Fourth, the consumer backlash has begun against smart devices with allegedly poor security. The @Internetofshit blogger (on Twitter and on Facebook) tracks and discusses such devices and device makers' actions that allegedly violate the CRFA. The discussion recently included Garadget:
What are your opinions of the Garadget incident? Of the CRFA? Of smart device security?
You can follow this conversation by subscribing to the comment feed for this post.